South London Healthcare NHS Trust

What

Loss of sensitive personal data.

How much

Approximately 750 records

Why

Two unencrypted memory sticks were lost, one two separate occasions. A clipboard of ward lists was left in a grocery store and some patient paper files were inadequately secured when not in use.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that portable and mobile media devices containing personal data are encrypted to a sufficient standard and that staff are made aware of, and trained in, data protection policies.

Reason for action

On all of these occasions, staff were either unaware that the memory sticks they used should have been encrypted, or had removed or failed to secure data in breach of in-place policies.

When

11 Apr 2012

Links

View PDF of the South London Healthcare NHS Trust Undertaking (Via ICO Website)

View PDF of the South London Healthcare NHS Trust Undertaking (Breach Watch Archive)

Fairbridge

What

Loss of personal data on two occasions.

How much

325 and 16 records.

Why

On two separate occasions password protected, but unencrypted laptops were lost. One was left on a bus and the second was reported missing by an employee while boarding a plane in a Spanish airport.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices containing personal data are sufficiently encrypted.

Reason for action

Whilst neither laptop has been recovered to date they did not contain any sensitive personal data. Since the incident occurred the data controller has ensured the encryption of mobile devices that contain personal data and provided all employees with data protection training.

When

10 February 2012.

Links

View PDF of the Fairbridge Undertaking (Via ICO Website)

View PDF of the Fairbridge Undertaking (Breach Watch Archive)

Basingstoke and Deane Borough Council

What

Inappropriate disclosure of personal and sensitive personal data on several occasions.

How much

29 records at minimum.

Why

On one occasion an individual received a letter relating to alleged benefit fraud concerning a third party and received a list of 29 occupants residing at two supported housing properties. Additionally on two later occasions customer details were inappropriately disclosed and personal data was made available online for a several days.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

These numerous breaches in close proximity highlighted a lack of sufficient training and security measures relating to data protection amongst staff. The Commissioner is satisfied that the data controller will implement suitable remedial steps however

When

10 February 2012.

Links

View PDF of the Basingstoke and Deane Borough Council Undertaking (Via ICO Website)

View PDF of the Basingstoke and Deane Borough Council Undertaking (Breach Watch Archive)

Midlothian Council

Breach details

What Inappropriate disclosure of sensitive personal data on five separate occasions.
How much Five records.
When March 2011
Why Personal data relating to children and their carer were sent to the wrong recipients on five separate occasions.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 140,000
When 30 01 2012

Why the regulator acted

Breach of act Multiple letters were sent to the wrong recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the first breach the risk was clear, yet 4 more breaches occurred over the next month.
Likely to cause damage or distress Personal information of vulnerable individuals.

North Somerset Council

Breach details

What Inappropriate disclosure of sensitive personal information.
How much Two records.
When 12 November 2010
Why A council employee accidently sent five emails (on separate occasions), two of which contained highly sensitive information relating to a child’s serious case review, to the wrong NHS employee.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 60,000
When 28 November 2011

Why the regulator acted

Breach of act Staff not given sufficient information governance training and management should have signed off on emails, ensuring that all sensitive data was encrypted.
Inappropriate organisational and technical measures.
Known or should have known Data controller was used to handling confidential and sensitive data and should have been aware of the “self evident” risks of drop down email menus. Repeated breaches demonstrate this fact.
Likely to cause damage or distress Data related to vulnerable individuals and could be misused.

University Hospitals Coventry & Warwickshire NHS Trust

What

Loss of sensitive personal data on two occasions.

How much

One record and 18 records.

Why

A patient’s medical record was allegedly found in a waste bin outside Coventry’s University Hospital by a member of the public. Two months previously the records of 18 patients were found in a public waste bin in a residential apartment block.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that policies relating to the storage, use, disposure and removal from the premises of personal information are made clear to staff and that compliance is monitored.

Reason for action

The short time between the two incidents suggested that insufficient measures were being taken to safeguard personal data.

When

27 October 2011.

Links

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Via ICO Website)

View PDF of the University Hospitals Coventry & Warwickshire NHS Trust Undertaking (Breach Watch Archive)

Kirklees Metropolitan Council

What

Personal data unnecessarily disclosed.

How much

18 records.

Why

Records let visible in an employees’ car.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that sufficient security measures are implemented and checked to prevent inappropriate disclosure of personal data.

Reason for action

Similar accidental disclosures had already occurred during the past year and insufficient measures had been put into place to prevent any reoccurrences.

When

29 July 2011.

Links

View PDF of the Kirklees Metropolitan Council Undertaking (Via ICO Website)

View PDF of the Kirklees Metropolitan Council Undertaking (Breach Watch Archive)

The Ipswitch Hospital NHS Trust

What

Loss of sensitive personal data.

How much

29 records.

Why

A member of staff lost patient’s records in a public place.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that personal data is kept sufficiently secure and that staff are made aware that the removal of such data without clearance is unacceptable.

Reason for action

The member of staff had recently joined the organisation and received no information governance training. This followed a similar loss of data the previous year.

When

01 July 2011.

Links

View PDF of the Ipswitch Hospital NHS Trust Undertaking (Via ICO Website)

View PDF of the Ipswitch Hospital NHS Trust Undertaking (Breach Watch Archive)

Surrey Council

Breach details

What Loss of sensitive personal information on three occasions.
How much 241 records.
When May – June 2010
Why Records were accidently sent out in an email copied to a global distribution list, minutes of a confidential strategy discussion erroneously emailed to a newsletter distribution group. Additional records were erroneously emailed to an incorrect internal email group.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 120,000
When 9 June 2011

Why the regulator acted

Breach of act Emails were unencrypted and sent to the wrong recipients.
Inappropriate organisational and technical measures.
Known or should have known The risk of incorrect drop down boxes being selected were “self evident”.
Likely to cause damage or distress Records related to special needs.

Norwich City College of Further and Higher Education

What

Loss of sensitive personal information on two occasions.

How much

80 records.

Why

Hard copy records were disposed of inappropriately and insecurely.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that a formal policy for the disposal of confidential waste be written and implemented.

Reason for action

The records were disposed of in standard black bin liners and were thrown into a skip on college grounds by cleaning staff, the same as any other waste.

When

19 April 2011.

Links

View PDF of the Norwich City College of Further and Higher Education Undertaking (Via ICO Website)

View PDF of the Norwich City College of Further and Higher Education Undertaking (Breach Watch Archive)